The FFIEC expects the boards of directors and senior
management of financial institutions to oversee and manage outsourcing
relationships. Financial institutions should institute an outsourcing
process that includes:

a risk assessment to identify the institution's needs and requirements;

proper due diligence to identify and select a provider;

written contracts that clearly outline duties, obligations and responsibilities
of the parties involved; and

ongoing oversight of outsourcing technology services.

The guidance encourages managers to consider additional
risk-management controls when services involve the use of the Internet.
The Internet, with its broad geographic reach, ease of access and anonymity,
requires institutions' close attention to maintaining secure systems,
detecting intrusions, developing reporting systems, and verifying and
authenticating customers.